Preparing for ISO 13485 Certification in 5 Steps

The author provides five steps in preparing for the ISO 13485 certification process, and his insights and tips for each step are reviewed.

A LinkedIn connection of mine recently asked for sources of good guidance on ISO 13485 registration. I wrote a blog recently about Quality Management Systems in General, but I had trouble finding resources specific to the ISO 13485 registration process. Therefore, I decided to write a blog to answer this question.

Typically, people learn the hard way by setting up a system from scratch. The better way to discover it is to take a course on it. I used to teach a two-day course on the topic for BSI. The link for this course is; I shortened the link to the BSI website.

Other registrars offer this course too. I suspect you can find a webinar on this through TUV SÜD, BSI, SGS, LNE/GMED, Dekra, etc. from time to time.

The only registrar I could find that described the process step-by-step was Dekra. I have copied their steps below:

 ISO 13485 Certification: Inquiry to Surveillance in 5 Steps

1. Inquiry

An initial meeting between [THE REGISTRAR] and the client can take place on-site or via teleconference. At this time, the client familiarizes [THE REGISTRAR] with company specifics, and it’s quality assurance certification requirements; [THE REGISTRAR] explains its working methods and partnering philosophy, and previews the details of the process.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

As a client, I have completed two initial certifications personally and three transfers, but I have only once had the sales representative visit my company. I think this process is typically accomplished by phone and email. If any registrars are reading this, you will close on more accounts if you visit prospective clients personally. The one that visited my company (Robert Dostert) has been on speed dial for almost a decade, and he’s received repeat business.



2. Application Form

The client chooses to move forward by filling out an online application form. Based on the information obtained during the inquiry stage, along with the application form, [THE REGISTRAR] prepares a quote, free of charge, for the entire certification process. A client-signed quotation or purchase order leads to the first stage of the certification process.

my two cents1 Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

For both of the Notified Body transfers I completed, I completed application forms and requested quotes from multiple Notified Bodies. During the quoting process, my friend Robert was more responsive and able to answer my questions better than the competition. Robert was also able to schedule earlier audit dates than the competition. To this day, I am still amazed that Notified Bodies are not more responsive during this initial quoting process. All of the Notified Bodies are offering a certificate (a commodity). The customer service provided by each Notified Body, however, is not a commodity. Each Notified Body has its own culture, and every Notified Body has good and bad auditors. Therefore, you need to treat this selection process, just like any other supplier selection decision. I have guided this specific selection process on more than one occasion, but I am definitely biased.

 3. Phase One: Document Review and Planning Visit
%name Preparing for ISO 13485 Certification in 5 Steps

LNE/GMED Flow Diagram for the process of ISO 13485 Certification

At this stage, [THE REGISTRAR] performs a pre-certification visit, which entails verifying the documented quality systems against the applicable standard. [THE REGISTRAR] works with the client to establish a working plan to define the [THE REGISTRAR] quality auditing process. If the client wishes, [THE REGISTRAR] will perform a trial audit or “dress rehearsal” at this stage. This allows the client to choose business activities for auditing, and to test those activities against the applicable standard. It also allows the client to learn and experience [THE REGISTRAR] ‘s quality auditing methods and style. The results of the trial audit can be used toward certification. Most clients elect for one or two days of trial auditing.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

Dekra’s statement that “The results of the trial audit can be used toward certification,” is 100% opposite from BSI’s policy. BSI calls this a pre-assessment. The boilerplate wording used in BSI quotations is, “The pre-assessment is an optional service that is an informal assessment activity intended to identify areas of concern where further attention would be beneficial and to assess the readiness of the quality management system for the initial formal assessment.” During these pre-assessments, BSI auditors explain that any findings during the pre-assessment will not be used during the Stage 1 and Stage 2 certification audits, and the client will start with a “clean slate.” Most of the clients I conducted pre-assessments for were skeptical of this. Still, most auditors are ethical and make every effort to avoid even the perception of biasing their sampling during Stage 1 and Stage 2 audits.

I highly recommend conducting a pre-assessment. You want an extremely thorough and tough pre-assessment so that the organization is well prepared for the certification audits. If the auditor that will be conducting the Stage 1 and Stage 2 audit is not available to do a pre-assessment, try to find a consultant that knows the auditor’s style and “hot buttons” well. FYI…You can almost always encourage me to do a little teaching when I’m auditing (I just can’t resist), and my “hot buttons” are CAPA,  internal auditing, and design controls.

 4. Phase Two: Final Certification Audit

Once the client’s documented systems have met the applicable standards, [THE REGISTRAR] will conduct an audit to determine its effective implementation.  [THE REGISTRAR] uses a professional auditing interview-style instead of a simple checklist approach. This involves interviewing the authorized and responsible personnel as designated in the documented quality system.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

For certification audits, ISO 17021 requires a Stage 1 and Stage 2 audit to be conducted. The combined duration of the certification audits must be in accordance with the IAF MD9 guidance document–which is primarily based upon the number of employees in the company. The “interview style” that Dekra is referring to is called the “Process Approach.” This is required in section 0.2 of the ISO 13485 Standard, and this is the primary method recommended by the ISO 19011 Standard for auditing–although other methods of auditing are covered, as well.


5. Surveillance

[THE REGISTRAR] arranges for surveillance audits semi-annually or annually, as requested by the client.

%name Preparing for ISO 13485 Certification in 5 Steps

Rob’s 2 Cents

I highly recommend annual surveillance audits, because the short duration of surveillance audits becomes unrealistically short when the auditor is asked to split their time between two semi-annual visits. A few clients have indicated that the semi-annual audits help them by maintaining pressure on the organization to be ready for audits all year-round, and prevents them from procrastinating to implement corrective actions. This is an issue of management commitment that needs to be addressed by the company. Scheduling semi-annual surveillance audits don’t address the root cause. The only good argument I have for semi-annual cycles is if you have very large facilities that would have an audit duration of at least two days on a semi-annual basis.

The most important consideration related to scheduling surveillance audits is to ensure that you schedule the audits well before the anniversary date. I recommend 11 months between audits. By doing this, you end up scheduling the re-certification audits three months before the certificate expires. BSI has a different policy. They want auditors to schedule the first surveillance audit ten months after the Stage 2 audit, the second surveillance audit 12 months after the first surveillance audit, and then the re-certification audit must be scheduled at least 60 days before certificate expiration (i.e.,  – no more than 12 months after the second surveillance audit). No matter what, schedule early.

If you have additional questions about becoming ISO 13485 registered, please post a discussion question in the following LinkedIn subgroup: Medical Device: QA/RA. For example, on Monday, a new discussion question was posted asking for help with the selection of a Notified Body for CE Marking. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe. George is out in the Bay Area, and I’m in the Green Mountains.

Posted in: ISO Certification

Leave a Comment (5) ↓


  1. Dan Ahlgren October 28, 2013

    Rob: Good Morning

    Can you tell me what ISO certifications are required prior to ISO 13485 certification? Maybe you could provide a web site to consult.

    Thank you in advance


    • Rob Packard October 28, 2013

      Hi Dan,

      That was a perfectly timed question, because I have a blog going out this Friday with that question answered perfectly. However, since you were kind enough to post the question, I’ll send you an email with the draft blog posting today.

      The quick answer to your question is that there are no other certifications required prior to ISO 13485 for a medical device company. In fact, technically only Canada is “requiring” ISO 13485. CE Marking presumes compliance with the directives when you are ISO 13485 certified, but it’s not required. I hope this helps.

      Best Regards,
      Rob Packard

  2. Dan Ahlgren October 28, 2013

    Also is ISO 13485 certification required for CE self declaration of conformance for a CE Mark for a medical devise?

    • Rob Packard October 28, 2013

      No. It’s not required for a Class I device that is non-sterile and non-measuring (i.e., CE self-declaration of conformity as per Annex VII). If the company has no presence in the EU, they will need an Authorized Representative who is required to verify compliance with the MDD or other applicable Directive(s). You may have some trouble with individual countries that will not allow registration without proof in the form of a certificate, but your Authorize Representative should be able to answer that question. It’s important to have a specific country(s) in mind before you ask the question.


Leave a Comment

Time limit is exhausted. Please reload the CAPTCHA.